Although the Internet has had great success in facilitating communications between computer systems and enabling electronic commerce, the computer systems connected to it have been under almost constant attack by hackers seeking to disrupt their operation. Many of these attacks exploit vulnerabilities in the application programs or other computer programs executing on those systems. One of the most destructive methods of attack has been the “worm.” A worm is a self-propagating attack that exploits a vulnerability to take control of a computer system and then uses that system to launch attacks against other computer systems having the same vulnerability.
Developers of applications and administrators of computer systems spare no effort and expense to identify and remove vulnerabilities. Because of the complexity of applications, however, it is virtually impossible to identify and remove all vulnerabilities before an application is released. After release, developers may become aware of vulnerabilities in various ways. For example, a party with no malicious intent may identify a vulnerability in an application and privately notify the developer so that the vulnerability can be removed before hackers identify and exploit it.
Hackers can hijack control flow by writing a “desired” address into a code pointer that is referenced by an indirect branch instruction. When the indirect branch instruction executes, the program counter (PC) is set to the attacker's chosen address. The most common code pointers, by frequency, are the return addresses stored on the run-time stack. Many protection schemes have been proposed that guard the return address location, encrypt or hide the return address, or keep a copy of the return address on a separate stack. Little work, however, has been done to protect other types of code pointers, in particular the function pointers in the global offset table (GOT). GOT entries are filled in at run time by the dynamic linker to link a program with a shared library and, as writable data, are themselves a target for such overwrites.
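As an added illustration, not part of this application, the following C program models the GOT as a writable table of function pointers filled in by a simulated linker. It shows an attacker's arbitrary write redirecting an indirect call to the attacker's code, and then one protection scheme of the kind the text mentions: a shadow copy of each entry, mangled with a per-process secret and checked before every indirect call. The function names (`lib_add`, `got`, `shadow_got`, `attacker_arbitrary_write`, `call_protected`), the fixed secret and the write primitive are assumptions of this example, not anything taken from the application.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for shared-library routines that a program reaches through the GOT. */
static int lib_add(int a, int b) { return a + b; }
static int lib_mul(int a, int b) { return a * b; }

/* Stand-in for code the attacker wants the PC redirected to (e.g. a shell-spawning routine). */
#define ATTACKER_MARKER 4242
static int attacker_target(int a, int b) { (void)a; (void)b; return ATTACKER_MARKER; }

typedef int (*binop_fn)(int, int);
enum { SLOT_ADD = 0, SLOT_MUL = 1, GOT_SLOTS = 2 };

/* Simulated GOT: a writable array of code pointers. A real GOT is written by the
 * dynamic linker; here simulated_linker_resolve() plays that role. */
static binop_fn got[GOT_SLOTS];

static void simulated_linker_resolve(void) {
    got[SLOT_ADD] = lib_add;
    got[SLOT_MUL] = lib_mul;
}

/* Unprotected indirect call: the PC goes wherever the slot currently points. */
static int call_unprotected(int slot, int a, int b) {
    return got[slot](a, b);
}

/* Models a memory-corruption bug that gives the attacker one pointer-sized write to an
 * address of their choosing (a hypothetical vulnerability assumed for this example). */
static void attacker_arbitrary_write(void *where, uintptr_t value) {
    memcpy(where, &value, sizeof value);
}

/* Protection scheme: a shadow copy of every GOT entry, XOR-mangled with a per-process
 * secret and kept apart from the GOT. The secret is fixed so the demo is deterministic;
 * a deployment would draw it from a CSPRNG at startup. */
static uintptr_t secret;
static uintptr_t shadow_got[GOT_SLOTS];

static uintptr_t mangle(binop_fn f) { return (uintptr_t)f ^ secret; }

static void protected_resolve(void) {
    secret = (uintptr_t)0x5bd1e995u;
    simulated_linker_resolve();
    for (int i = 0; i < GOT_SLOTS; i++) shadow_got[i] = mangle(got[i]);
}

/* Returns 0 and stores the result on success; returns -1 and makes no indirect call
 * when the live GOT entry no longer matches its shadow. */
static int call_protected(int slot, int a, int b, int *out) {
    if (mangle(got[slot]) != shadow_got[slot]) return -1;
    *out = got[slot](a, b);
    return 0;
}

/* Scenario 1: no attack, the indirect call reaches lib_add. */
int demo_benign(void) {
    simulated_linker_resolve();
    return call_unprotected(SLOT_ADD, 2, 3);          /* 5 */
}

/* Scenario 2: the attacker overwrites got[SLOT_ADD]; the next "add" runs attacker code. */
int demo_hijack(void) {
    simulated_linker_resolve();
    attacker_arbitrary_write(&got[SLOT_ADD], (uintptr_t)attacker_target);
    return call_unprotected(SLOT_ADD, 2, 3);          /* 4242 */
}

/* Scenario 3: same overwrite, but the shadow check refuses the call; returns -1. */
int demo_protected_hijack(void) {
    int out = 0;
    protected_resolve();
    attacker_arbitrary_write(&got[SLOT_ADD], (uintptr_t)attacker_target);
    return call_protected(SLOT_ADD, 2, 3, &out);      /* -1 */
}

/* Scenario 4: the protected path without tampering still reaches lib_mul; returns 6. */
int demo_protected_benign(void) {
    int out = 0;
    protected_resolve();
    if (call_protected(SLOT_MUL, 2, 3, &out) != 0) return -1;
    return out;                                       /* 6 */
}

int main(void) {
    printf("benign add       : %d\n", demo_benign());
    printf("hijacked add     : %d (attacker code ran)\n", demo_hijack());
    printf("protected hijack : %d (call refused)\n", demo_protected_hijack());
    printf("protected mul    : %d\n", demo_protected_benign());
    return 0;
}
```

The shadow check only holds if the attacker can neither read the secret nor reach the shadow copy with the same write primitive, which is why such schemes place the copy in separately protected memory. On a Linux binary the closest built-in analogue is full RELRO (`-Wl,-z,relro,-z,now`), which resolves every GOT entry at load time and then maps the table read-only, so a later write faults instead of redirecting the PC.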
Thus, there is an increasing demand for a method and an apparatus that provide programs with effective protection against attacks that acquire control over a computer system by manipulating its code pointers to functions, without incurring excessive overhead.